Bucket policy
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
Bucket policies set permissions for actions with buckets, objects, and object groups.
A policy is triggered when a user makes a request to a resource. As a result, the request is either executed or rejected.
Enabling public access to bucket operations does not override the restrictions set in the access policies.
Note
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
You can set up a bucket policy in the management console or describe it in JSON format using a special scheme to provide the settings through one of the software tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. To learn more about policy management, see this guide.
Warning
If a bucket communicates with a Hive Metastore cluster, do not assign it a bucket policy; otherwise, the cluster will not be able to write any data to the bucket.
Policy components
A bucket policy consists of rules; each rule consists of the following basic elements:
- Resource

  Bucket, object in a bucket (<bucket_name>/some/key), or prefix (<bucket_name>/some/path/*), including an empty prefix to indicate all bucket objects (<bucket_name>/*). You can specify multiple resources in a rule.

  Note

  A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, such as samplebucket and samplebucket/*.

  If you describe a policy in JSON format, a resource must have the arn:aws:s3::: prefix, e.g., arn:aws:s3:::<bucket_name>.

  If the resource name contains ?, *, or $, enclose each one of these characters in curly braces ({}) preceded with $. For example, a record mapped to a bucket named my?bucket will read my${?}bucket.

- Action

  Operations with a resource that will be either denied or allowed by the rule. For more information, see Actions.

- Result

  Denies or allows the requested action. First, the request is checked against the Deny action filter. If there is a match, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request does not trigger any of the filters, it is rejected.

- Principal

  Grantee of the requested permission. It can be an IAM user, federated user, service account, anonymous user, or user group. You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.

- Condition

  Establishes the cases in which the rule will apply.

  If multiple conditions are specified simultaneously for a rule, or multiple keys are specified simultaneously within a single condition, such conditions and keys apply with AND logic. If multiple values are specified simultaneously for one condition key, such values apply with OR logic. For more information, see Conditions.
Bucket access via the management console
If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule in the Statement section that allows any requests to <bucket_name>/* or <bucket_name> from the management console.
Example of a rule for a specific Yandex Cloud user:
{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}
Example of using the console.cloud.yandex.* domain together with console.yandex.cloud
If you are using the old domain (console.cloud.yandex.*) together with the new one (console.yandex.cloud), set the following policy rules:
{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": [
        "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*",
        "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
      ]
    }
  }
}
You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.
Sample configurations
- Rule that allows an anonymous user to read objects in the bucket over an encrypted connection:

  {
    "Id": "epd4limdp3dg********",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "f1qqoehl1q53********",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket_name>/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "true"
          }
        }
      }
    ]
  }

- Rule that allows downloading objects only from a specified range of IP addresses:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket_name>/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "100.101.102.128/30"
          }
        }
      }
    ]
  }

- Rule that prohibits downloading objects from the specified IP address:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": "arn:aws:s3:::<bucket_name>/*"
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket_name>/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "100.101.102.103"
          }
        }
      }
    ]
  }

- Rule that provides different users with full access only to specific folders, each user to their own:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "User1PermissionsResource",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user_ID>"
        },
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket_name>/user1path/*"]
      },
      {
        "Sid": "User1PermissionsPrefix",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user_ID>"
        },
        "Action": "s3:ListBucket",
        "Resource": ["arn:aws:s3:::<bucket_name>"],
        "Condition": {
          "StringLike": {
            "s3:prefix": "user1path/*"
          }
        }
      },
      {
        "Sid": "User2PermissionsResource",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user_ID>"
        },
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket_name>/user2path/*"]
      },
      {
        "Sid": "User2PermissionsPrefix",
        "Effect": "Allow",
        "Principal": {
          "CanonicalUser": "<user_ID>"
        },
        "Action": "s3:ListBucket",
        "Resource": ["arn:aws:s3:::<bucket_name>"],
        "Condition": {
          "StringLike": {
            "s3:prefix": "user2path/*"
          }
        }
      }
    ]
  }

- Rule that provides each user and service account with full access to a folder with the name matching the user ID or service account ID:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OwnDirPermissions",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": ["arn:aws:s3:::<bucket_name>/${aws:userid}/*"]
      }
    ]
  }
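The evaluation order described under Result (Deny filter first, then Allow, otherwise rejected) and the AND/OR semantics described under Condition, applied to policies shaped like the sample configurations above, as an added Python example. This is not Yandex Cloud's code and not the service's real evaluator: it implements only the Bool, IpAddress, StringEquals and StringLike operators, resolves the ${aws:userid} variable and the ${?}/${*}/${$} escapes in resource patterns, and returns Allow or Deny for one request. The bucket name samplebucket, the user IDs and the IP addresses are constructed for the example.

```python
import ipaddress
import re


def as_list(x):
    return x if isinstance(x, list) else [x]


def pattern_to_regex(pattern, ctx):
    """Translate a policy pattern into a regex: '*' and '?' are wildcards,
    '${?}', '${*}' and '${$}' stand for the literal characters, and any other
    '${name}' is a policy variable (e.g. aws:userid) resolved from the request
    context. A variable absent from the context makes the pattern never match."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("${", i) and "}" in pattern[i:]:
            end = pattern.index("}", i)
            name = pattern[i + 2:end]
            if name in ("?", "*", "$"):
                out.append(re.escape(name))
            elif name in ctx:
                out.append(re.escape(str(ctx[name])))
            else:
                out.append("(?!)")  # unresolved variable: rule cannot match
            i = end + 1
        else:
            ch = pattern[i]
            out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
            i += 1
    return "".join(out)


def matches(pattern, value, ctx):
    return re.fullmatch(pattern_to_regex(pattern, ctx), value) is not None


def condition_holds(operator, key, values, ctx):
    """One operator/key pair; several values under the same key are OR-ed."""
    if key not in ctx:
        return False
    actual = ctx[key]
    for v in as_list(values):
        if operator == "Bool" and str(actual).lower() == str(v).lower():
            return True
        if operator == "StringEquals" and actual == v:
            return True
        if operator == "StringLike" and matches(v, actual, ctx):
            return True
        if operator == "IpAddress" and ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False):
            return True
    return False


def statement_applies(stmt, req):
    """Principal, Action, Resource and every Condition operator/key must all hold (AND)."""
    ctx = req["context"]
    principal = stmt["Principal"]
    principal_ok = principal == "*" or req["principal"] in as_list(principal.get("CanonicalUser", []))
    action_ok = any(matches(a, req["action"], ctx) for a in as_list(stmt["Action"]))
    resource_ok = any(matches(r, req["resource"], ctx) for r in as_list(stmt["Resource"]))
    conditions_ok = all(condition_holds(op, key, vals, ctx)
                        for op, keys in stmt.get("Condition", {}).items()
                        for key, vals in keys.items())
    return principal_ok and action_ok and resource_ok and conditions_ok


def evaluate(policy, req):
    """Deny filter first, then Allow; a request that triggers neither is rejected."""
    applicable = [s for s in policy.get("Statement", []) if statement_applies(s, req)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"  # explicit Deny: no further checks
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "Deny"  # no filter matched; also the outcome for a policy with no rules


def request(principal, action, resource, context=None):
    return {"principal": principal, "action": action, "resource": resource, "context": context or {}}


# Constructed policies for the hypothetical bucket "samplebucket", modelled on the
# sample configurations on this page; the addresses and IDs are made up.
BUCKET = "arn:aws:s3:::samplebucket"
IP_RANGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.128/30"}}}]}
DENY_ONE_IP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.103"}}}]}
OWN_DIR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnDirPermissions", "Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": [BUCKET + "/${aws:userid}/*"]}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


if __name__ == "__main__":
    def get(ip):
        return request("anonymous", "s3:GetObject", BUCKET + "/docs/a.txt", {"aws:SourceIp": ip})
    print(evaluate(IP_RANGE_POLICY, get("100.101.102.129")))     # Allow
    print(evaluate(IP_RANGE_POLICY, get("100.101.102.132")))     # Deny: outside the /30
    print(evaluate(DENY_ONE_IP_POLICY, get("100.101.102.103")))  # Deny: explicit Deny wins
    print(evaluate(OWN_DIR_POLICY, request("u1", "s3:PutObject", BUCKET + "/u1/x", {"aws:userid": "u1"})))  # Allow
    print(evaluate(EMPTY_POLICY, get("100.101.102.129")))        # Deny: no rules
```

Two behaviours worth checking against your own policies with this script: a Deny statement that matches a request wins even when an Allow with Action "*" also matches, and a resource pattern containing ${aws:userid} cannot match an anonymous request, because the variable has no value to resolve to.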